Improved UAuthStateManager

mckaragoz · mckaragoz · commit e8aa689173e4 · 2026-02-14T16:05:26.000+03:00
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Routes.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Routes.razor
@@ -1,8 +1,8 @@
-﻿<CascadingAuthenticationState>
+﻿<UAuthApp>
     <Router AppAssembly="typeof(Program).Assembly" NotFoundPage="typeof(Pages.NotFound)">
         <Found Context="routeData">
             <AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(Layout.MainLayout)" />
             <FocusOnNavigate RouteData="routeData" Selector="h1" />
         </Found>
     </Router>
-</CascadingAuthenticationState>
+</UAuthApp>
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Home.razor b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Home.razor
@@ -2,31 +2,34 @@
 @attribute [Authorize]
 
 @inject AuthenticationStateProvider AuthProvider
-@inject IUAuthStateManager StateManager
 @inject IUAuthClient UAuthClient
 
-<MudPage FullScreen="FullScreen.Full">
+<MudPage Class="mud-width-full" FullScreen="FullScreen.Full" Column="1" Row="1">
     <MudGrid>
         <MudItem xs="12" sm="6">
             <MudPaper Class="pa-6">
 
                 <MudAvatar Size="Size.Large" Color="Color.Primary">
-                    @(_aspNetUserName?.Substring(0, 1).ToUpper())
+                    @(AuthState?.UserKey?.Value.Substring(0, 2).ToUpper())
                 </MudAvatar>
 
-                <MudText Typo="Typo.h5" Class="mt-2">
-                    @_aspNetUserName
-                </MudText>
-
                 <MudDivider Class="my-4" />
 
-                <MudText><b>ASP.NET Authenticated:</b> @_aspNetAuthenticated</MudText>
-                <MudText><b>UAuth Authenticated:</b> @_uAuthAuthenticated</MudText>
+                <MudText Typo="Typo.h6"><b>ASP.NET Core State</b></MudText>
+                <MudText>IsAuthenticated: @_aspNetCoreState?.Identity?.IsAuthenticated</MudText>
+                <MudText>User Id: @_aspNetCoreState?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value</MudText>
+                <MudText>User Name: @_aspNetCoreState?.Identity?.Name</MudText>
+                <MudText>Authentication Type: @_aspNetCoreState?.Identity?.AuthenticationType</MudText>
+                <MudText>Is Admin: @_aspNetCoreState?.IsInRole("Admin")</MudText>
 
-                <MudText><b>UserKey:</b> @_uAuthUserKey</MudText>
-                <MudText><b>Client Profile:</b> @_clientProfile</MudText>
-                <MudText><b>Tenant:</b> @_tenant</MudText>
+                <MudDivider Class="my-4" />
 
+                <MudText Typo="Typo.h6"><b>UAuth State</b></MudText>
+                <MudText>IsAuthenticated: @AuthState.IsAuthenticated</MudText>
+                <MudText>UserKey: @AuthState.UserKey</MudText>
+                <MudText>Tenant: @AuthState.Tenant</MudText>
+                <MudText>Authenticated At: @AuthState.AuthenticatedAt</MudText>
+                <MudText>Roles: @string.Join(", ", AuthState.Claims.Roles)</MudText>
             </MudPaper>
         </MudItem>
 
@@ -65,5 +68,4 @@
             </MudPaper>
         </MudItem>
     </MudGrid>
-
 </MudPage>
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Home.razor.cs b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Home.razor.cs
@@ -1,27 +1,24 @@
-﻿namespace CodeBeam.UltimateAuth.Sample.BlazorServer.Components.Pages;
+﻿using CodeBeam.UltimateAuth.Client;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
+using System.Security.Claims;
+
+namespace CodeBeam.UltimateAuth.Sample.BlazorServer.Components.Pages;
 
 public partial class Home
 {
-    private string? _aspNetUserName;
-    private bool _aspNetAuthenticated;
-    private bool _uAuthAuthenticated;
-    private string? _uAuthUserKey;
-    private string? _clientProfile;
-    private string? _tenant;
-
-    protected override async Task OnInitializedAsync()
-    {
-        var state = await AuthProvider.GetAuthenticationStateAsync();
-        var user = state.User;
+    private ClaimsPrincipal? _aspNetCoreState;
 
-        _aspNetAuthenticated = user.Identity?.IsAuthenticated == true;
-        _aspNetUserName = user.Identity?.Name;
+    [CascadingParameter]
+    public UAuthState AuthState { get; set; } = default!;
 
-        var uAuth = StateManager.State;
+    [CascadingParameter]
+    Task<AuthenticationState> AuthenticationStateTask { get; set; } = default!;
 
-        _uAuthAuthenticated = uAuth?.IsAuthenticated == true;
-        _uAuthUserKey = uAuth?.UserKey?.ToString();
-        _tenant = uAuth?.Tenant.Value;
+    protected override async Task OnInitializedAsync()
+    {
+        var state = await AuthenticationStateTask;
+        _aspNetCoreState = state.User;
     }
 
     private async Task Logout()
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Routes.razor b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Routes.razor
@@ -1,8 +1,8 @@
-﻿<UAuthAuthenticationState>
+﻿<UAuthApp>
     <Router AppAssembly="typeof(Program).Assembly" AdditionalAssemblies="new[] { typeof(UAuthClientMarker).Assembly }">
         <Found Context="routeData">
             <AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(Layout.MainLayout)" />
             <FocusOnNavigate RouteData="routeData" Selector="h1" />
         </Found>
     </Router>
-</UAuthAuthenticationState>
+</UAuthApp>
diff --git a/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/App.razor b/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/App.razor
@@ -3,7 +3,7 @@
 <MudSnackbarProvider />
 <MudDialogProvider />
 
-<UAuthAuthenticationState>
+<UAuthApp>
     <Router AppAssembly="@typeof(App).Assembly">
         <Found Context="routeData">
             <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
@@ -16,4 +16,4 @@
             </LayoutView>
         </NotFound>
     </Router>
-</UAuthAuthenticationState>
+</UAuthApp>
diff --git a/src/CodeBeam.UltimateAuth.Client/Authentication/IUAuthStateManager.cs b/src/CodeBeam.UltimateAuth.Client/Authentication/IUAuthStateManager.cs
@@ -16,7 +16,7 @@ public interface IUAuthStateManager
     /// Ensures the authentication state is valid.
     /// May call server validate/refresh if needed.
     /// </summary>
-    Task EnsureAsync(CancellationToken ct = default);
+    Task EnsureAsync(bool force = false, CancellationToken ct = default);
 
     /// <summary>
     /// Called after a successful login.
diff --git a/src/CodeBeam.UltimateAuth.Client/Authentication/UAuthState.cs b/src/CodeBeam.UltimateAuth.Client/Authentication/UAuthState.cs
@@ -1,5 +1,6 @@
 ﻿using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Extensions;
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using System.Security.Claims;
 
@@ -45,26 +46,19 @@ private UAuthState() { }
 
     internal void ApplySnapshot(AuthStateSnapshot snapshot, DateTimeOffset validatedAt)
     {
-        if (string.IsNullOrWhiteSpace(snapshot.UserKey))
-        {
-            Clear();
-            return;
-        }
-
-        UserKey = CodeBeam.UltimateAuth.Core.Domain.UserKey.FromString(snapshot.UserKey);
-        Tenant = snapshot.Tenant;
+        UserKey = snapshot.Identity.UserKey;
+        Tenant = snapshot.Identity.Tenant;
         Claims = snapshot.Claims;
 
         IsAuthenticated = true;
 
-        AuthenticatedAt = snapshot.AuthenticatedAt;
+        AuthenticatedAt = snapshot.Identity.AuthenticatedAt;
         LastValidatedAt = validatedAt;
         IsStale = false;
 
         Changed?.Invoke(UAuthStateChangeReason.Authenticated);
     }
 
-
     internal void MarkValidated(DateTimeOffset now)
     {
         if (!IsAuthenticated)
@@ -104,15 +98,16 @@ internal void Clear()
     /// </summary>
     public ClaimsPrincipal ToClaimsPrincipal(string authenticationType = "UltimateAuth")
     {
-        if (!IsAuthenticated)
+        if (!IsAuthenticated || UserKey is null)
             return new ClaimsPrincipal(new ClaimsIdentity());
 
-        var identity = new ClaimsIdentity(
-            Claims.AsDictionary()
-                  .Select(kv => new Claim(kv.Key, kv.Value)),
-            authenticationType);
+        var claims = Claims.ToClaims().ToList();
+        claims.Add(new Claim(ClaimTypes.NameIdentifier, UserKey.Value));
+
+        if (!string.IsNullOrWhiteSpace(Claims.Get(ClaimTypes.Name)))
+            claims.Add(new Claim(ClaimTypes.Name, Claims.Get(ClaimTypes.Name)!));
 
+        var identity = new ClaimsIdentity(claims, authenticationType, ClaimTypes.Name, ClaimTypes.Role);
         return new ClaimsPrincipal(identity);
     }
-
 }
diff --git a/src/CodeBeam.UltimateAuth.Client/Authentication/UAuthStateManager.cs b/src/CodeBeam.UltimateAuth.Client/Authentication/UAuthStateManager.cs
@@ -18,9 +18,9 @@ public UAuthStateManager(IUAuthClient client, IClock clock, IUAuthClientBootstra
         _bootstrapper = bootstrapper;
     }
 
-    public async Task EnsureAsync(CancellationToken ct = default)
+    public async Task EnsureAsync(bool force = false, CancellationToken ct = default)
     {
-        if (State.IsAuthenticated && !State.IsStale)
+        if (!force && State.IsAuthenticated && !State.IsStale)
             return;
 
         await _bootstrapper.EnsureStartedAsync();
@@ -51,4 +51,6 @@ public void MarkStale()
     {
         State.MarkStale();
     }
+
+    public bool NeedsValidation => !State.IsAuthenticated || State.IsStale;
 }
diff --git a/src/CodeBeam.UltimateAuth.Client/Components/UAuthApp.razor b/src/CodeBeam.UltimateAuth.Client/Components/UAuthApp.razor
@@ -8,7 +8,7 @@
 @inject IUAuthClientBootstrapper Bootstrapper
 
 <CascadingAuthenticationState>
-    <CascadingValue Value="@_uauthState" IsFixed="false">
+    <CascadingValue Value="@StateManager.State" IsFixed="false">
         @ChildContent
     </CascadingValue>
 </CascadingAuthenticationState>
diff --git a/src/CodeBeam.UltimateAuth.Client/Components/UAuthApp.razor.cs b/src/CodeBeam.UltimateAuth.Client/Components/UAuthApp.razor.cs
@@ -2,10 +2,9 @@
 
 namespace CodeBeam.UltimateAuth.Client;
 
-public partial class UAuthAuthenticationState
+public partial class UAuthApp
 {
     private bool _initialized;
-    private UAuthState _uauthState = UAuthState.Anonymous();
 
     [Parameter]
     public RenderFragment ChildContent { get; set; } = default!;
@@ -21,19 +20,20 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
         _initialized = true;
         //await Bootstrapper.EnsureStartedAsync();
         await StateManager.EnsureAsync();
-        _uauthState = StateManager.State;
 
         StateManager.State.Changed += OnStateChanged;
     }
 
-    private void OnStateChanged(UAuthStateChangeReason _)
+    private void OnStateChanged(UAuthStateChangeReason reason)
     {
-        //StateManager.EnsureAsync();
-        if (_ == UAuthStateChangeReason.MarkedStale)
+        if (reason == UAuthStateChangeReason.MarkedStale)
         {
-            StateManager.EnsureAsync();
+            _ = InvokeAsync(async () =>
+            {
+                await StateManager.EnsureAsync();
+            });
         }
-        _uauthState = StateManager.State;
+
         InvokeAsync(StateHasChanged);
     }
 
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Auth/AuthIdentity.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Auth/AuthIdentity.cs
@@ -3,12 +3,10 @@
 
 namespace CodeBeam.UltimateAuth.Core.Contracts;
 
-public sealed record AuthStateSnapshot
+public sealed record AuthIdentity
 {
-    public UserKey UserKey { get; init; }
-    public TenantKey Tenant { get; init; }
-
-    public ClaimsSnapshot Claims { get; init; } = ClaimsSnapshot.Empty;
-
+    public required UserKey UserKey { get; init; }
+    public required TenantKey Tenant { get; init; }
+    public string? UserName { get; init; }
     public DateTimeOffset? AuthenticatedAt { get; init; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Auth/AuthStateSnapshot.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Auth/AuthStateSnapshot.cs
@@ -0,0 +1,28 @@
+﻿using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+/// <summary>
+/// Represents the authenticated security snapshot returned by the server.
+///
+/// This object is immutable and represents a validated authentication state
+/// at a specific point in time. It contains:
+///
+/// - Identity information (who the subject is)
+/// - Authorization claims (what the subject can do)
+///
+/// This is not a live security context and must not be treated as a trust boundary.
+/// Always validate on the server.
+/// </summary>
+public sealed record AuthStateSnapshot
+{
+    /// <summary>
+    /// Authentication identity information such as UserKey, Tenant and authentication metadata.
+    /// </summary>
+    public required AuthIdentity Identity { get; init; }
+
+    /// <summary>
+    /// Authorization claims associated with the identity. These are security claims, not profile or display data.
+    /// </summary>
+    public ClaimsSnapshot Claims { get; init; } = ClaimsSnapshot.Empty;
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Session/SessionValidationResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Session/SessionValidationResult.cs
@@ -19,6 +19,8 @@ public sealed class SessionValidationResult
 
     public DeviceId? BoundDeviceId { get; init; }
 
+    public DateTimeOffset? AuthenticatedAt { get; init; }
+
     public ClaimsSnapshot Claims { get; init; } = ClaimsSnapshot.Empty;
 
     public bool IsValid => State == SessionState.Active;
@@ -32,6 +34,7 @@ public static SessionValidationResult Active(
         SessionChainId chainId,
         SessionRootId rootId,
         ClaimsSnapshot claims,
+        DateTimeOffset authenticatedAt,
         DeviceId? boundDeviceId = null)
         => new()
         {
@@ -42,6 +45,7 @@ public static SessionValidationResult Active(
             ChainId = chainId,
             RootId = rootId,
             Claims = claims,
+            AuthenticatedAt = authenticatedAt,
             BoundDeviceId = boundDeviceId
         };
 
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Session/ClaimsSnapshot.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Session/ClaimsSnapshot.cs
@@ -3,6 +3,16 @@
 
 namespace CodeBeam.UltimateAuth.Core.Domain;
 
+/// <summary>
+/// Represents a deterministic, immutable collection of authorization claims.
+///
+/// This object contains only security-related claims such as:
+/// - Roles
+/// - Permissions
+/// - Policy markers.
+///
+/// It must not contain profile data, display data or identity metadata.
+/// </summary>
 public sealed class ClaimsSnapshot
 {
     private readonly IReadOnlyDictionary<string, IReadOnlyCollection<string>> _claims;
diff --git a/src/CodeBeam.UltimateAuth.Server/Authentication/UAuthAuthenticationHandler.cs b/src/CodeBeam.UltimateAuth.Server/Authentication/UAuthAuthenticationHandler.cs
@@ -40,6 +40,7 @@ public UAuthAuthenticationHandler(
         _serverOptions = serverOptions.Value;
         _clock = uauthClock;
     }
+
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         var credential = _transportCredentialResolver.Resolve(Context);
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs
@@ -88,10 +88,13 @@ public async Task<IResult> ValidateAsync(HttpContext context, CancellationToken
                 State = result.IsValid ? "active" : result.State.ToString().ToLowerInvariant(),
                 Snapshot = new AuthStateSnapshot
                 {
-                    UserKey = userKey,
-                    Tenant = result.Tenant,
-                    Claims = result.Claims,
-                    AuthenticatedAt = _clock.UtcNow,
+                    Identity = new AuthIdentity
+                    {
+                        UserKey = userKey,
+                        Tenant = result.Tenant,
+                        AuthenticatedAt = result.AuthenticatedAt
+                    },
+                    Claims = result.Claims
                 }
             });
         }
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/UAuthSessionValidator.cs b/src/CodeBeam.UltimateAuth.Server/Services/UAuthSessionValidator.cs
@@ -53,6 +53,6 @@ public async Task<SessionValidationResult> ValidateSessionAsync(SessionValidatio
         //    return SessionValidationResult<TUserId>.Invalid(SessionState.DeviceMismatch);
 
         var claims = await _claimsProvider.GetClaimsAsync(context.Tenant, session.UserKey, ct);
-        return SessionValidationResult.Active(context.Tenant, session.UserKey, session.SessionId, session.ChainId, root.RootId, claims, boundDeviceId: session.Device.DeviceId);
+        return SessionValidationResult.Active(context.Tenant, session.UserKey, session.SessionId, session.ChainId, root.RootId, claims, session.CreatedAt, session.Device.DeviceId);
     }
 }
diff --git a/src/authorization/CodeBeam.UltimateAuth.Authorization/AuthorizationClaimsProvider.cs b/src/authorization/CodeBeam.UltimateAuth.Authorization/AuthorizationClaimsProvider.cs

Original file line number	Diff line number	Diff line change
`@@ -18,9 +18,9 @@ public UAuthStateManager(IUAuthClient client, IClock clock, IUAuthClientBootstra`
`18`	`18`	`_bootstrapper = bootstrapper;`
`19`	`19`	`}`
`20`	`20`
`21`		`- public async Task EnsureAsync(CancellationToken ct = default)`
	`21`	`+ public async Task EnsureAsync(bool force = false, CancellationToken ct = default)`
`22`	`22`	`{`
`23`		`- if (State.IsAuthenticated && !State.IsStale)`
	`23`	`+ if (!force && State.IsAuthenticated && !State.IsStale)`
`24`	`24`	`return;`
`25`	`25`
`26`	`26`	`await _bootstrapper.EnsureStartedAsync();`
`@@ -51,4 +51,6 @@ public void MarkStale()`
`51`	`51`	`{`
`52`	`52`	`State.MarkStale();`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ public bool NeedsValidation => !State.IsAuthenticated \|\| State.IsStale;`
`54`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,9 @@`
`2`	`2`
`3`	`3`	`namespace CodeBeam.UltimateAuth.Client;`
`4`	`4`
`5`		`-public partial class UAuthAuthenticationState`
	`5`	`+public partial class UAuthApp`
`6`	`6`	`{`
`7`	`7`	`private bool _initialized;`
`8`		`- private UAuthState _uauthState = UAuthState.Anonymous();`
`9`	`8`
`10`	`9`	`[Parameter]`
`11`	`10`	`public RenderFragment ChildContent { get; set; } = default!;`
`@@ -21,19 +20,20 @@ protected override async Task OnAfterRenderAsync(bool firstRender)`
`21`	`20`	`_initialized = true;`
`22`	`21`	`//await Bootstrapper.EnsureStartedAsync();`
`23`	`22`	`await StateManager.EnsureAsync();`
`24`		`- _uauthState = StateManager.State;`
`25`	`23`
`26`	`24`	`StateManager.State.Changed += OnStateChanged;`
`27`	`25`	`}`
`28`	`26`
`29`		`- private void OnStateChanged(UAuthStateChangeReason _)`
	`27`	`+ private void OnStateChanged(UAuthStateChangeReason reason)`
`30`	`28`	`{`
`31`		`- //StateManager.EnsureAsync();`
`32`		`- if (_ == UAuthStateChangeReason.MarkedStale)`
	`29`	`+ if (reason == UAuthStateChangeReason.MarkedStale)`
`33`	`30`	`{`
`34`		`- StateManager.EnsureAsync();`
	`31`	`+ _ = InvokeAsync(async () =>`
	`32`	`+ {`
	`33`	`+ await StateManager.EnsureAsync();`
	`34`	`+ });`
`35`	`35`	`}`
`36`		`- _uauthState = StateManager.State;`
	`36`	`+`
`37`	`37`	`InvokeAsync(StateHasChanged);`
`38`	`38`	`}`
`39`	`39`